This story is over 5 years old.


You're Probably Fine with SMS-Based Two-Factor Authentication

SMS-based two-factor authentication has got a lot of bad press recently. But the fact is the majority of people have a lot to gain from it.

Updated May 4, 2017: This piece was focused around a type of attack known as SIM-jacking. However, since its publication, financially-motivated hackers have grabbed banking two-factor authentication tokens using much more powerful SS7 attacks. For that reason, this piece, and its general advice, is largely out of date. You can read about the SS7 attacks here.

Using a phone to secure your email, Facebook, or other online accounts has got a lot of bad press recently. In June, hackers broke into the Twitter account of prominent Black Lives Matter activist DeRay McKesson, after tricking Verizon into redirecting his text messages to another SIM card. And then a month later, the US National Institute of Standards and Technology (NIST) advised companies to find an alternative to SMS two-factor authentication.


SMS messages can be intercepted in various different ways, including through the exploitation of vulnerabilities in the infrastructure of mobile networks, as well as by the use of IMSI-catchers, otherwise known as Stingrays. That's fine, but arguably statements like "SMS-based two factor authentication is insecure" trickle down into public consciousness, and those who really could benefit from linking a phone to their account may think it's a bad idea.

But the truth is that the vast majority of people would be much, much better off using SMS 2FA rather than using no two-factor method at all.

Here's a now common scenario: a website, say, a porn site, gets hacked, and hackers then trade and sell a database of email addresses, usernames and passwords. With a wad of login credentials, crooks can try and access each account.

Hackers often do this in an automated manner, using so-called configs to quickly churn through accounts on different sites and services; they don't necessarily care who the user actually is. In the end, there is very little stopping hackers from just logging into those accounts, or trying ones on other sites that share the same password or email address.

Unless those people affected have used two-factor authentication, that is. This adds another layer of protection onto the account: if someone tries to login from another physical location, or uses a different browser configuration, the website might notice. It will then send a code to the user's mobile phone which has to be entered before the account can be accessed. Presumably, the hacker has not stolen your phone too, so they're stumped.

This scenario is likely much more common than those that critics of SMS two-factor authentication have picked up on, such as an activist coming under targeted attack, or an intelligence agency sweeping up the verification text. That is not to undermine those examples, of course, but those individuals are clearly dealing with a another type of attack than most people. They have a different a threat model, and should take appropriate precautions. Maybe use a smartphone app so the code can't be intercepted through the mobile network, or a piece of hardware that plugs into your USB port?

"For most people, requiring your attacker to steal two things to get into your account instead of one is enough to get the attacker to move on to the easier target. And given that most people do not use any kind of 2FA at all, easier targets are plentiful," Eva Galperin, global policy analyst at activist group the Electronic Frontier Foundation, told me in an email.

Getting everyone just to use two-factor authentication at all is enough of an issue without scaring people away because they heard that SMS codes—often the default for many sites—is insecure. Maybe get people using those first, then worry about upgrading their security after that.